General Data Protection Regulation (GDPR)
and Managed File Transfer

There are many ways of exchanging personal data. System-to-system methods include uploading batch files, scheduled FTP transfers etc. System-to-human transfer includes planned reports, ad-hoc enquiries etc, while human-to-human transfer includes e-mails, flash drives, instant messaging and more.

Companies without a centralized overview of their data exchange are at risk of a data breach. Whether intentional or accidental, data leaks from key business applications continues to be a real threat for many companies. Leaks can result in data breaches that violate rules, including: internal compliance regulations, partner or customer service level agreements (SLAs), and privacy or data protection laws like GDPR.

Failing to comply with GDPR requirements, whether intentional or accidental, can be catastrophic for a company. Violations can cost your company of potentially €10-20 million or up to 2-4% of worldwide group turnover in fines, time and money. The penalties for inadequate protection of personal data also have an impact on those who are directly responsible, e.g. Managing Directors, board members, Data Controllers, CISO etc.

A Data Protection Impact Assessment (DPIA) is a risk assessment audit for technologies that process personal data. When running a DPIA, you need to look at the following areas:

• Application design
  Has the application been designed with data protection in mind? Does it follow the principles of ‘data protection by technology design’ and ‘data protection by default’?
• Secure exchange of data
  Is data encrypted and anonymized? Can you ensure the confidentiality, integrity and availability of systems, services and recovery after a physical or technical incident?
• Ability to delete an individual’s personal data
  Individuals have the right to request that companies delete any Personally Identifiable Information (PII) relating to them, just by withdrawing their consent. For individual cases, this request might be difficult to fulfill, but is still achievable. However in large organizations, or if many requests come in at the same time, it is nearly impossible to do without prior preparation. One preparatory measure could be to set up a consent management hub to track the whereabouts of PII. However, before creating such a hub, you need integration so that systems holding and/or transferring PII have interfaces to interact with the hub.
• Operating secure cloud services
  The majority of companies use cloud services from external service providers to some extent. The provider liability introduced by GDPR means that providers of cloud services can increasingly be held liable. However, it’s still challenging to choose the right service provider and evaluate privacy measures. Certifications and attestations by external auditors are a good sign.
• Legal framework conditions
  Exchanging data between EU member states and the USA is only possible under GDPR if binding corporate regulations or contracts based on the EU standard contractual clauses have been concluded within an affiliated group of companies.
  
  Companies must enter into order processing agreements or nondisclosure agreements (NDA) with their customers, IT service providers, consulting partners and data center providers. Generic order data processing contracts are not sufficient. Order processing agreements by GDPR must contain a section specific to the order in question. This describes the order-specific technical and organizational data protection measures in detail. For unstructured data there are still many FTP channels around while at the same time internet file sharing services have become common. For both scenarios, it can be difficult to have a reliable order-processing contract.
• Burden of proof
  Due to the accountability requirements of the GDPR, documentation is extremely important and needs to include detailed data protection logs.
  Currently there is no official GDPR compliance certification process. However, the effectiveness of the measures can and should be tested and confirmed by measures such as internal audits and external certifications such as. ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2.

Sharing files amongst people and systems is essential to today’s increasingly automated business operations. However, if file sharing was not considered in the design, execution and monitoring of core business processes, there will be costly vulnerabilities.

A secure Managed File Transfer (MFT) solution gets business-critical data to the right place at the right time, while also letting the sender track end-to-end and prove the data has been received. Alongside classic PII, this could also be financial data, price lists, contracts, payment information, intellectual property, inventory, orders or supply chain data etc. Some of the above will of course also include PII.

SEEBURGER BIS MFT is a solution that provides secure and monitored end-to-end management of all file transfers.

Besides being GDPR-compliant, data protection is important for many other reasons in various industries:

• Retail: Exchanging large product graphic files with suppliers. Sharing financial details with banks
• Consumer Goods: Brand teams collaborating with external parties on marketing material
• Media: Transferring digital video files and creative assets
• Manufacturing: Distributing marketing content to regionally located centers
• Engineering: Multi-party exchange of CAD files for virtual teams
• Financial Services: Payment processing and the exchange of payments for services and goods

SEEBURGER BIS MFT is a solution that can help businesses comply with GDPR. Every file is governed by policies, which helps validate, check and securely move data of any size between internal applications, companies, partners, customers and employees.

Benefit from the business advantages of managed file transfer, which go beyond compliance, while avoiding the hidden costs of "free" file sharing